From 2ee379b45dfd3414a98d4244bf2a0664e68e8bdd Mon Sep 17 00:00:00 2001
From: guenther
Date: Mon, 4 Jan 2010 02:48:56 +0000
Subject: Don't decrement the refcnt on a plimits until after we're done copying it, so that the process can't sleep in pool_get() and have the source structure get pool_put() or modified behind its back. ok deraadt@
---
 sys/kern/kern_resource.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index f50d88b5263..bb33c7756dd 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_resource.c,v 1.33 2008/05/22 17:04:59 thib Exp $ */
+/* $OpenBSD: kern_resource.c,v 1.34 2010/01/04 02:48:56 guenther Exp $ */
 /* $NetBSD: kern_resource.c,v 1.38 1996/10/23 07:19:38 matthias Exp $ */
 
 /*-
@@ -231,8 +231,11 @@ dosetrlimit(struct proc *p, u_int which, struct rlimit *limp)
 return (error);
 if (p->p_p->ps_limit->p_refcnt > 1 &&
 (p->p_p->ps_limit->p_lflags & PL_SHAREMOD) == 0) {
- p->p_p->ps_limit->p_refcnt--;
- p->p_p->ps_limit = limcopy(p->p_p->ps_limit);
+ struct plimit *l = p->p_p->ps_limit;
+
+ /* limcopy() can sleep, so copy before decrementing refcnt */
+ p->p_p->ps_limit = limcopy(l);
+ l->p_refcnt--;
 alimp = &p->p_rlimit[which];
 }
 
-- 
cgit v1.2.3-59-g8ed1b
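Review bot: The comment above `p->p_p->ps_limit = limcopy(l);` explains why the order matters but not why the late decrement is safe, which is the property the next maintainer needs: the reference still counted in `l->p_refcnt` is what keeps the old plimit from being pool_put() or modified while this process sleeps in limcopy(). Suggest `/* limcopy() can sleep: keep our reference on the old plimit until the copy is done so it cannot be freed or changed under us */`. As a point of style, the single-letter `l` for a pointer that is held across a sleep is easy to misread next to the `limp` parameter; a name such as `olimit` would make the old/new distinction visible at the decrement. The body of dosetrlimit() begins before and continues after this hunk.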